VSPMiner: Detecting Security Hazards in SEAndroid Vendor Customizations via Large-Scale Supervised Machine Learning
Xiangyu Liu, Yi Zhang, Yang Song
Alibaba Security

Whoami
• Xiangyu Liu
• Security Engineer @Alibaba
• CUHK PhD (2016)
• Academic: IEEE S&P, ACM CCS
• Industry: DEF CON
• Interests: Intrusion Detection, Mobile Security
• Co-authors: Yi Zhang, Yang Song @Alibaba

Agenda
• Background
• VSPMiner
• Evaluation
• Summary

Background - SEAndroid
• Android uses SELinux to enforce mandatory access control (MAC) over all processes.
• Enforced since Android 4.4
• Privilege escalation becomes much more difficult

Background - SEAndroid Framework
[Figure: SEAndroid architecture diagram. User space: SELinux policy and configuration files, a security server that performs context lookup, libselinux (supports the security policy), and policy files accessed via read/write. Kernel space: LSM hooks that perform MAC permission checks and record decisions, the SELinux Linux Security Module (LSM), various Linux kernel services, and configuration files.]

Background - SEAndroid Policy
• The effectiveness of SEAndroid depends on the employed policies.
• allow/neverallow subject object:object_class permission
• sbj, obj, obj_class, perm (for short)
• Allow rules define benign operations
• E.g., allow appdomain app_data_file:file {read write execute}
• Neverallow rules define privilege escalation (checked at compile time)
• E.g., neverallow untrusted_app init:file {read}
• Security labels <=> concrete subjects/objects
• system_file <=> /system(/.*)
• system_data_file <=> /data(/.*)
• Vendors don't know how to write policies (@pof, "Defeat SEAndroid", DEF CON 2013)

Background - Refine Policy
• Using audit logs
• 6-tuple access patterns
• <concrete_sbj, sbj, concrete_obj, obj, obj_class, perm>
• Policy engineers parse the logs to refine the policy
• Logs record access events not matched by any allow rule

Background - Challenges
• Millions of audit logs
• Expert experience required
• Allow benign accesses
• Prevent malicious accesses
• Unknown new malicious access patterns
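Added example (not from the VSPMiner talk or its code): the log-driven refinement loop described above, as a small parser that turns AVC denial lines into the 6-tuple <concrete_sbj, sbj, concrete_obj, obj, obj_class, perm>, collapses them into candidate allow rules, and flags any that a neverallow rule (here the slide's untrusted_app/init example) would reject at compile time. The sample log lines and the neverallow set are constructed.

```python
# Added example: parse SELinux AVC denials into the 6-tuple access patterns
# above, collapse them into candidate allow rules and flag neverallow conflicts.
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*?)'
                    r'\s*scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
FIELD_RE = re.compile(r'(\w+)="?([^"\s]+)"?')   # pid=41 comm="foo" path="/x"

def sel_type(ctx):
    """u:r:untrusted_app:s0:c512 -> untrusted_app (the type is the third field)."""
    return ctx.split(':')[2]

def parse_avc(line):
    """One denial -> list of (concrete_sbj, sbj, concrete_obj, obj, obj_class, perm)."""
    m = AVC_RE.search(line)
    if not m:
        return []
    f = dict(FIELD_RE.findall(m.group('fields')))
    csbj = f.get('comm', '?')                        # process name = concrete subject
    cobj = f.get('path') or f.get('name') or '?'     # path/name = concrete object
    sbj, obj = sel_type(m.group('sctx')), sel_type(m.group('tctx'))
    return [(csbj, sbj, cobj, obj, m.group('tclass'), p) for p in m.group('perms').split()]

def candidate_rules(lines):
    """Group tuples by (sbj, obj, obj_class) -> sorted perms, i.e. one allow rule each."""
    perms = defaultdict(set)
    for line in lines:
        for _, sbj, _, obj, cls, perm in parse_avc(line):
            perms[(sbj, obj, cls)].add(perm)
    return {k: sorted(v) for k, v in perms.items()}

def neverallow_hits(rules, neverallows):
    """Rules that a neverallow (sbj, obj, obj_class, perm) would reject at compile time."""
    return sorted((k, p) for k, ps in rules.items() for p in ps if (*k, p) in neverallows)

# Constructed sample denials, not real device logs.
SAMPLE = [
    'avc: denied { read write } for pid=41 comm="vendor_daemon" name="cfg.bin" '
    'scontext=u:r:vendor_daemon:s0 tcontext=u:object_r:system_data_file:s0 tclass=file',
    'avc: denied { read } for pid=99 comm="app_process" path="/init" '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:init:s0 tclass=file',
]
NEVERALLOW = {('untrusted_app', 'init', 'file', 'read')}   # the slide's example rule

if __name__ == '__main__':
    rules = candidate_rules(SAMPLE)
    for (sbj, obj, cls), ps in rules.items():
        print(f'allow {sbj} {obj}:{cls} {{ {" ".join(ps)} }}')
    print('neverallow conflicts:', neverallow_hits(rules, NEVERALLOW))
```

The first denial yields a plausible vendor allow rule; the second maps to the neverallow and should be treated as an attack attempt or a labelling mistake rather than something to allow.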